Q1 2023 Web3 Security Overview
In addition to attacks, Beosin EagleEye also monitored 41 major rug pull incidents throughout Q1 2023, which involved a sum of approximately $20.34 million.
March saw the highest frequency of attacks, with total losses reaching $235 million, accounting for 79.7% of the overall losses in Q1.
In terms of project types, DeFi was the type with the most attacks and highest loss this quarter. A total of $248 million was lost in 42 DeFi security incidents, representing 84% of the total amount lost.
In terms of blockchain types, Ethereum accounted for 80.8% of the total losses, making it the most affected blockchain by loss amount.
In terms of attack types, flash loans caused the most losses this quarter, with eight flash loan attacks costing approximately $198 million; the most common attack type was contract vulnerability exploits, with 27 exploits accounting for 44% of all incidents.
Approximately $200 million of stolen assets were recovered during the quarter, surpassing the recovery rate of any quarter in 2022.
Regarding audit status, only 41% of the attacked projects had undergone an audit prior to the incidents.
2 Overview of Exploits
Overall, the total loss from attacks showed a monthly increase in the first quarter. March was a month with a high frequency of attack incidents, with total losses reaching $235 million, accounting for 79.7% of the total losses in the first quarter.
3 Types of Attacked Projects
84% of loss amount was from DeFi
As the crypto market faced an extended downturn and numerous black swan events causing deleveraging, it eventually reached a bottom and began to bounce back. Concurrently, DeFi's Total Value Locked (TVL) experienced fluctuations, ultimately showing signs of recovery throughout the first quarter in tandem with cryptocurrency prices.
In Q1 2023, there was only one cross-chain bridge security incident, resulting in a loss of $130,000. In contrast, in 2022, 12 cross-chain bridge security incidents caused a combined loss of approximately $1.89 billion, ranking first among all project types in losses. Following the high frequency of cross-chain bridge security incidents in 2022, the security of cross-chain bridge projects significantly improved during this quarter.
4 Loss Amount by Chain
Ethereum accounts for 80.8% of losses
In Q1 2023, there were 17 major attacks on Ethereum, resulting in total losses of approximately $238 million. Ethereum saw the highest loss of any blockchain, accounting for 80.8% of the total loss.
BNB Chain saw the highest number of attacks, totaling 31. Its overall losses amounted to $19.48 million, ranking second among all blockchains.
Algorand ranked third in terms of losses, primarily due to the MyAlgo wallet incident. Notably, there were no major security incidents on Algorand in 2022.
It is worth mentioning that in 2022, Solana ranked third among all blockchains in terms of losses. However, no major security incidents were detected on Solana during this quarter.
5 Attack Type
Flash loan attacks caused the largest losses of any attack type during the quarter, with eight flash loan incidents costing approximately $198 million, or 67% of all losses.
The most frequent attack type was contract vulnerability exploits, with 27 exploits accounting for 44% of all incidents. Contract vulnerabilities resulted in an accumulated loss of $39.05 million, the second highest amount of losses for all attack types.
Throughout the quarter, DeFi projects faced 42 separate attacks, with more than half (22 incidents) stemming from contract vulnerability exploits. This highlights the urgent need for DeFi projects to enhance the security of their smart contracts to avert potential threats.
By type of vulnerability, the top three that caused the highest losses were improper business logic/function design, permission issues and reentrancy. A total of $22.44 million was lost to 17 improper business logic/function design vulnerabilities.
6 Typical Security Incidents in Q1 2023
6.1 Euler Finance
6.2 BonqDAO
6.3 Platypus Finance
7 Stolen Fund Flow
8 Audit Analysis
In the first quarter of 2023, among the projects that were attacked, excluding 8 incidents that cannot be measured by audits (such as phishing attacks on individual users), there were 28 projects that had undergone audits and 25 that had not.
9 Rug Pulls
In the first quarter of 2023, a total of 41 major Rug Pulls were monitored in the Web3 sector, involving approximately $20.34 million.
In terms of amount, 6 rug pulls (14.6%) involved more than $1 million, 12 rug pulls (29.2%) ranged from $100,000 to $1 million, and 23 rug pulls (56%) involved less than $100,000.
Out of the 41 Rug Pull incidents, 34 projects (83%) were deployed on BNB Chain. Why do so many scam projects choose BNB Chain? There might be several reasons:
1) BNB Chain has lower gas fees and shorter block time intervals.
2) BNB Chain has a larger number of active users. Scam projects tend to choose chains with more active users.
3) For BNB Chain users, it is more convenient and faster to deposit and withdraw funds through Binance.